Tag Archives: ISO

Finally the latest version of Ubuntu 11.10 or code name Oneiric Ocelot was release yesterday. Currently I'm downloading from two server which first from local server Bycraft and UK mirror site. Bycraft server very slow maybe of the traffic of local who want to do try or use the new Ubuntu and there only few local repository in Malaysia.

Introduction

These release notes for Ubuntu 11.10 (Oneiric Ocelot) provide an overview of the release and document the known issues with Ubuntu 11.10 and its variants.

Release Overview

Oneiric Ocelot includes new releases of all major flavors of Ubuntu: desktop, server, cloud, Kubuntu, Xubuntu, Lubuntu, Edubuntu, Mythbuntu, and Ubuntu Studio. For Ubuntu, this release provides a full Unity experience, even without 3D hardware acceleration, promoting Unity 2D to the primary fallback shell. LightDM steps forward as the login manager for Ubuntu, Edubuntu, Xubuntu, Mythbuntu, and Ubuntu Studio. It also includes a customized Unity greeter. Kubuntu showcases the best and the newest features of the KDE Platform, Plasma Workspaces, and Applications (including the Muon Software Centre). Ubuntu Server introduces a technical preview of Juju – a modern approach to service deployment and orchestration on cloud and bare metal environments, and support for the ARM architecture.

Ubuntu

New Features

Lenses and Interface Changes

11.10 includes a new release of compiz and Unity. Highlights of this release are:

A new Alt+Tab switcher.

"Places" are renamed to "Lenses". This feature now also integrates multiple sources and advanced filtering options like ratings, range, and categories.

The Dash has a new music lens, linked to Banshee, that searches your personal and online music collections.

Ubuntu Software Center 5.0

11.10 includes Ubuntu Software Center 5.0, featuring a completely revamped interface that provides a simpler and more enjoyable experience for browsing, searching, and managing your software. The navigation tree view pane from previous Ubuntu Software Center versions has been replaced by a much cleaner toolbar approach for navigating between views. Top-rated applications are now displayed prominently in the main view as well as in category views, leveraging the extensive database of excellent review data that has been provided over the past year by the Ubuntu community.

Application list views can now be dynamically sorted by top-rated, by name, and also by the date the application appeared in the Center. A dynamic banner has been added to the main view that will serve to highlight interesting new applications as well as themed collections. These banners will be updated regularly, and this, along with the dynamic What's New and Top Rated sections, should help to ensure an interesting and fun experience each time you open Software Center.

Last but not least, OneConf is now built in to keep your installed applications in sync between multiple computers. To activate it, use "File → Sync between computers…".

New ARM subarchitectures

Ubuntu 11.10 introduces two new desktop images for ARM subarchitectures: armel+ac100 for the Toshiba ac100 netbook (NVIDIA Tegra 2 SoC), and armel+mx5 targeted at the Freescale i.MX53 Quick Start development board. Both of these images are "best-effort" community-supported images aimed at developer and hobbyist use.

Revised DVD content

In Ubuntu 11.10 there is now a revised, smaller (in size) DVD based on community feedback over the last few cycles. This new DVD has a more manageable size of 1.5G, and is an extension of our current CD image that includes all the language packs and some other useful applications, such as Inkscape, GIMP, Pitivi, and a more complete LibreOffice suite. All the packages that used to be on the DVD are still available from the archive.

New App Developer Site

Coinciding with the Ubuntu 11.10 release, a significant milestone in the ongoing effort of making Ubuntu a target for application developers has also been reached: the Ubuntu App Developer site launch.

developer.ubuntu.com should now be the central point of reference for any topics related to Ubuntu application development, from creation to publication: porting, sharing, contributing, and finding information. This site should grow organically to provide the tools, share knowledge, and act as the springboard for fostering application proliferation and developer community growth.

New Localized ISO Tools

Ubuntu now provides a set of tools for Ubuntu LoCo teams to create custom images to provide an experience even closer to the culture of the region they cover. After setting the foundations in Ubuntu 11.10, in the next cycle we plan to work with the community on expanding community usage. Learn more.

Updated Applications

Thunderbird is included as the default email client. This now includes menu and launcher integration via Unity.

Backups are easy in Ubuntu 11.10 now that Déjà Dup is included as the default backup tool. Securely store copies of your important data on a separate hard drive, cloud server, or even Ubuntu One.

The new Gwibber landed in Ubuntu 11.10, bringing improved performance and a new interface using the most recent GNOME technologies.

GNOME 3.2 is included and is a major upgrade from GNOME 2.32 included in Ubuntu 11.04. GNOME Classic is no longer installed by default, but can be enabled after installation completes by installing gnome-panel. Note that the indicator status menus have not yet been ported to the new gnome-panel and the default upstream panel layout is used instead of the heavy Ubuntu customizations. GNOME Shell is also available for install.

Synaptic and Pitivi are no longer included in the default install but are still available in the Ubuntu repositories.

Ubuntu Server

New Features

Juju is available in Ubuntu 11.10 as a technical preview. Juju is a service deployment and orchestration framework developed by Canonical and used to deploy and manage services both on bare-metal and in the cloud. Through the use of what we call charms, juju provides you with shareable, re-usable, and repeatable expressions of DevOps best practices. You can use them unmodified, or easily change and connect them to fit your needs. Deploying a charm is similar to installing a package on Ubuntu: ask for it and it’s there, remove it and it’s completely gone.

Orchestra is a collection of the best free software services for provisioning, deploying, hosting, managing, and orchestrating datacenter services. Instead of manually setting up a complex network installation environment, users can now leverage Orchestra to rapidly deploy new servers into production. The process is standardized and fully automated, and thus minimizes manual intervention and ensures consistency. This solution is provided as a response to all user requests that we received for making multiple installs and deployments easier. The core component of Orchestra provisioning is Cobbler and Juju.

Ubuntu Server 11.10 is the first release with support for the ARM architecture. In this last cycle, the Ubuntu Server team worked closely with the Ubuntu ARM team to deliver a technical preview of ARM server support in Ubuntu Server 11.10.

Updated Applications

Former UEC components (including Eucalyptus) are no longer part of the CD image and are no longer included in the security-supported main component of the archive. An upgrade path is provided from from 11.04.

The Xen hypervisor has now been reintroduced as an option in Ubuntu Server.

Ubuntu Cloud

Ubuntu 11.10 introduces the new Ubuntu Cloud Infrastructure and Ubuntu Cloud Guest images. The Cloud Infrastructure images are the successor of the Ubuntu Enterprise Cloud and provide a ready to deploy Infrastructure-as-a-Services (IaaS) based on the Openstack Diablo release. Ubuntu Cloud Guest was previously known as JeOS or UEC-image. This Ubuntu Server image is specially tailored for use in a public or private cloud instance. ARM cloud images are also being built. However, currently no cloud infrastructure can consume ARM cloud images properly. Therefore, these images are available on a best effort basis.

Abstract: SQL injection has been major issues and problem to the web developer that developed web base application and website. Some of the problem can be avoid if the administrator aware of the security holes in their SQL statement and they fixed the vulnerabilities before being manipulate by the hacker or attacker to gain access to modify the system information. These attacks have made the organization loss millions and also the effort done and also their integrity to the client. Counter measurement have been propose to reduce the attack even cannot totally stop and hold the attack because of the flaw in the system. Every database system have flaw and SQL statement can be manipulate to inject the malicious code and Trojan into the system.

Structured Query Language (SQL) is the typical language that used to correspond with a relational database. This prototype was initially developed by IBM with Dr. E.F. Codd’s paper title A Relational Model of Data for Large Shared Data Banks as a model. Its coverage data query and update, schema creation and modification and also data access control. SQL is definite any of two ways, as the letters S Q L, or “sequel”. Both intonations are tolerable, though most skilled SQL user is likely to use the second intonation, according to Plew & Stephens (2002).

SQL is a regular language for right of entry and manipulate database furthermore it can execute queries, retrieve, insert records, update records , delete records, create new databases, create views, create new tables, can set permissions on tables, procedures, and views in addition create stored procedures. SQL have been accepted by American National Standards Institute (ANSI) as a standard and also accepted by International Standards Organization (ISO) in 1987. SQL was implemented in SEQUEL-XRM; IBM prototype in the mid 70’s and then a division of the language employ in the IBM’s System-R. ORACLE became the first commercial Database Management System (DBMS) that have SQL and other commercial product also followed the ORACLE step like SQL/DS, DB2, SYBASE, UNIFY, DG/SQL, INTERBASE and INFORMIX. These trends have made the SQL become the standard for the DBMS or de facto standard, Calero et al (2006)

SQL standard revised in 1989 which few improvement have been made like the referential integrity and SQL2 or SQL-92 published by ISO, complemented after few years later. Calero et al (2006) & Plew & Stephens (2002) state that SQL3 or SQL: 1999 included features object-oriented capabilities, sensitive cursor, user roles, tables’ generalization, recursive query operator and user defined data types. The revised SQL: 2003 version also included new basic data type (multiset, XML, bigint), SQL/XML, extension to make the CREATE TABLE statement, a new MERGE statement and two new sorts of columns (generated and identify). SQL: 2006 revised and included ways of importing, storing and manipulating XML data in the database. The latest revised SQL standard; SQL: 2008 have the features trigger INSTEAD OF, TRUNCATE statement and ORDER BY. The revised have made the SQL function enhanced from time to time according to the needs of the current situation and future.

SQL Implementation

There is lots of application that information stored in the database there is a deficient in test adequacy criteria and test case design procedure specifically design for database program. Mutation approach is another way for SQL queries use as corresponding help for the tester to developing test cases or the base to test automation tools. SQL would be very useful tools for systematically injecting faults in the queries and use these faulty to analysis the effectiveness base on the studies by Tuya, Suarez-Cabal & Riva (2007). These can guidance on test case generation and comparing different assessment for database application.

Libkin (2003) insist that SQL: 2003 have various features which can differentiate from relational algebra which the aggregate function, grouping and arithmetic. Aggregate function is where the command uses to compute like average in a column, others aggregates are MAX, MIN, SUM, AVG and COUNT. Grouping can group the data into values of different attribute and arithmetic allows SQL to apply arithmetic operations into numerical values.

Brass & Goldberg (2006) has investigate classes of SQL queries that syntactically true or correct can be providing unintended result which produce semantic errors. There is a different between syntactic error and semantic errors, whereby syntactic error is in situation the character string entered is not valid SQL statement. Semantic error is the SQL query being done but the result of the query did not produce the wanted result. The result of the query may produce information that may reduce optimization that required by the user.

SQL Injection

Kost (2007) found that majority of application developer underestimate the SQL injection attack. The application developers did not aware or understand the SQL injection attacks. SQL injection vulnerabilities can be done remotely without any application or database authentication because the attacks are simple and easy to execute.SQL have lots of advantages and also have deficiency whereby can affect the performance of the database furthermore the system itself. SQL attack included code injection, SQL manipulation, buffer overflows and function call injection. SQL manipulation is whereby the modification of the SQL statement like operation UNION or WHERE clause to output the unintended result. Code injection or SQL injection where the new SQL statement being inserted into the SQL statement and only worked when multiple SQL statement per database requested supported by the server and these two attack are the common describe attack.

“SQL Slammer” was the worms that infect Microsoft Desktop Engine (MSDE) and Microsoft SQL Server 2000 which exploit the server and cause buffer overflow and cause denial of service attack (DDOS). Hilley (2003) state Slammer worms attack port 1434 and have affected many ISP and organizations in the world. Like the event when one of the sport event website have been infected by malware that infected the Internet Explorer user that do not have Vector Markup Language (VML) patch with Trojan who visit the website. The hackers exploit the website by injecting the SQL injection vulnerability (SQLIVS) because of the auto generated code by Dreamweaver, Ullrich & Lam (2008). The auto generated code generated by the Dreamweaver also affected the JSP, PHP and ASP where the exposure allowed the attacker to insert SQL injection into the website. The attackers use the SQL injection to alter the information or data of the database and this leads to website defacement. Website defacement is where the attacker attacks the website by altering the visual look of the website and although these attack are harmless but it tarnish the organization image. Some of the website defacement being included Trojan or malware in the server and will attack the user who use or visit the website. These attacks have cost million of lost to the company and user because of the downtime by the server and website. The maintaining need to be done fast and the error need to be troubleshoot again and again to reduced the attack so the server live again to be use. The organization need to accountable for the attack and admit the mistake because of poor maintaining and administration of the system.

According to Gollmann (2008) in the year 2006, SQL injection attack rank number two and these vulnerabilities have attack many major website like MySpace and Gmail. These vulnerabilities being categorize into three categories which naïve execution model, circumvention of the same origin policy and inadequate handling of malicious inputs. The attacks exploit the vulnerabilities at the interface between the backend database server and web server. Note to reduce the attack can be done by changing the execution model which the primary or roots of the problem. The SQL queries being constructed before input by the user added. Using bound parameter, the query being compile first with placeholder then on the execution of the compiled script will be replace by the actual user input. Stored procedure or lists of parameter sometimes is the alternative ways to avoid the SQL injection but the there will be occur problem at the server backend. The error messages that appear in the system purposely is to help the developer of the system but it also reveal some of the valuable information and structure design of the system of the database to the potential attacker. The reveal information can be use for the attacker to gain more access since of the expose of their system specification and the attacker just need to dig more information from the internet for the security flaws or based on their knowledge from previous experience.

A paper by Thomas, Williams & Xie (2009) stated that 10% reported of total virtual or cyber vulnerabilities were SQL injection vulnerabilities (SQLIVS). The SQL injection is present when an SQL statement did not keep the input separate and statement structure. The statement input during the runtime send by the application combined with the statement and structure to the database will done the modification to the database data and also structure. They have provided solution to SQL injection by using a prepared statement replacement algorithm to remove the vulnerabilities. PSR-algorithm has removed the threat of SQL injection by moving the minimal manual intervention and does not need to be integrated into the runtime environment system which unlike the other which requires to be integrated to provide solution. The prepared statement generated code produce the same queries for standard data as the original. This PSQ-Algorithm can expand in the future for other solutions and others language as well and also as a technique of implementing the prepared statement to replace the algorithm. These prepared statement reduce the attack but the system administrator need to analyze and make sure the prepared statement will not be use by the attacker and also burden the backend server that contain the database. If the backend server process more than it could the other problem will occur like server overload and might need to reboot or the system hang.

But in the article by Kardkovacs & Tikk (2007) stated that ISA-algorithm did not mind about the uncertainty while transformation procedure is not unsuccessful. It’s creating any possible solution base on the knowledge base that acquired. Whereby if the transformation succeed there will be well formed query result and if not succeed, the query will produced no real uncertainty since there were no substitute to be presented. The algorithm proposed by the author cannot solve expression with symbolic sense or wider, term which assume deeper human knowledge, derivatives of predicate verbs and idiomatic expressions. The most common form of SQL injection attack (SQLIAs) was incorrectly passed parameters, incorrect type handling and incorrectly filtered quotation characters. The attack include the code injection attack whereby the technique input the code into a computer system or program and exploits the vulnerabilities, Mitropoulos & Spenellis (2009). These actions can make the hacker or other user viewing the sensitive data, modified and also destroy the data which also can crash the system. The data destroy by the attacker might be data that valuable to the organization like the client data, organization private information and other which losing the data might threaten the organization to run their business also the trust from their client and potential client for their business.

Morgan (2006) stated that to secure database from SQL injection attack couple preventive measurement can be done to reduce the attack. The counter measurement is by limit the SQL server running with minimal privileges’ access for example not as SYSTEM or as administrator, lock down the SQL server, restrict the SQL server‘s from accessing the file system and the cmd.exe command, only allowed the web application to perform actions from the stored procedure which help to sanity checking the query to prevent the SQL injection, implementing effective parameter validation where its rejecting any query that contain bad parameter and implement effective network level access control. The preventive measurement cannot clean out the SQL attack but it just to reduce the attack and if there were an attack the system administrator must check back their system especially the SQL parameter in their system. The limited access among the best procedure to be taken seriously because it help to prevent the attacker to access another system if there were more than one system in the server. The attacker cannot access the other system because of the limited access and the other systems are not vulnerable to the hacker or attacker.

A research by Huang et al (2003) focus on the SQL injection and cross site scripting vulnerabilities in the research because both of the component exist in many web application or website and the detection and avoidance still considered as difficult for the system administrator. Black-box approach chosen by the researcher to analyze web base application externally without needing the source code (white-box approach) where the white-box used goes together with black-box. Black-box approach tools can perform the analysis and identifying vulnerable sites very rapidly. To use the tools for SQL injection fault, a reverse engineering must be done first to discover all data entry points. Once the reverse engineering process was done, an attempt to inject the system database with malicious SQL pattern into the server-side program as to manipulate perform of the process of user input to determine the pattern. It was found that few testing can be done for web application analysis security test like extracting the syntax and semantic input field, indentifying data entry point, injecting malicious SQL injection pattern to test the system, generate valid data for input field, formatting and sending HTTP request and analyzing the replies and most important things is monitor the browser behavior when it perform active content delivered by the web application. The system administrator can look into the system log and can use web analyzer application included in the server. These logs provide the system activity of the server and record the user activity for the use of the administrator as crucial information or tracking the activities of the system and server.

Prevention of SQL Injection

The query from the application is recognized through by combining the characteristic like the method invocation stack race where the query carry out down to the target method, the table and fields that query uses to retrieve the result and the SQL keyword. Combining these three characteristic create a signature to identified the SQL injection. These characteristic make the query sent to the database will be narrow piece down the query and remove the number and also string literals. SDriver is prototype applications that use to prevent SQL injection attack to the web base application. The function of SDriver can associate queries with the website and stored the signatures which the previous stored query to avoid bogus results, Mitropoulos & Spenellis (2009). SDiver provided for free because the code were release under the open source license which enable other user to use it for free and also the user can modified or customize it according to the need and requirement of the user system. These modifications will fulfill the system needs and help the system administrator to maintain the system more efficient and help the organization functionality with the system.

Fallon, Llewellyn & Smith (2008) stated that in ORACLE have introduced new notation that contained value placeholder and name place holder. Few rules have formed for prevent SQL injection; SQL statement declared as constant and assigning the values for transitional query result. Nested block-statement sometimes needed so the code review easier because the readable by the reader The administrator must understand by SQL syntax template term and know how to differentiate a dynamic SQL syntax as well as static SQL syntax. Defining SQL injection as the implementation of SQL statement with an unintended SQL syntax because every SQL statement executed using dynamic SQL syntax is possible to be exposed to SQL injection. The client must not have direct access to the system but via SQL API also know as control privileges where help limit the attacker access to other system. Design of the system must made thoroughly and the rational of every SQL statement included value placeholder in SQL syntax template where both dynamic SQL and static SQL template. Also use simple name placeholder in the SQL syntax template. Created and use of the ORACLE supplied API’s where designed to execute the SQL statement. The API’s helps the administrator in maintaining the security of the database. These known API’s has advantages because have been burns test by the developer before being release and any update or error the developer will notice the administrator for their action.

SQL injection attack can be reduced by just making programming changes as proposed by Kost (2007). Among idea were bind variable, input validation, function security and error messages. Bind variable where the application coding should be bind in all SQL statement and never concatenating together the string and passed parameter. This bind variable must be use for every SQL statement executed by the web application although this bind variable will added extra line in the coding but as security this won not be matter to the developer. Input validation make every string parameter that passed will be validated. If the system did not use bind variable, special database of character will be remove before send to process the query. SQL injection attack also is done by using the standard and custom database function that have in the application system like by default grant the access to the public. Error message that exist during the execution can be use by the attacker to gain knowledge about the web application itself. Relatively produced the error to the user its advisable the error message produced in the error log where the access to the log only can be gain only by the administrator only.

Conclusion

SQL is very useful in manipulating the data in the database system to retrieve information that require by the user. The manipulating is very useful but certain people especially the attacker or hacker use the vulnerability to take advantages of the web base application for their interest. They use SQL injection attack to extract confidential information or make modification to the database which leads to loss to the organization. Many have reported that the attack have made them lost of millions of money and also the effort made by them. Few counter measurements must be made to reduce even it hard to stop fully the SQL injection attack like use the SQL stored procedure or lists of parameter sometimes is the alternative ways to avoid the SQL injection, hidden the error messages to the user and most crucial is when designing the web application system, everything must took into consideration whether the SQL statement use, bound statement syntax and other things. Usually the system administrator overlook because did not done the analysis thoroughly and look as whole of the system. In ORACLE for example have API’s that help the administrator in designing and embedded it into their system for security. The API’s prevent the user from accessing the system directly by filtering by another application. SQL injection attacks have made lots of lost in money, effort and corporate image or trust to the organization. Even big company including antivirus developer website have these problem and have tarnish their image in where their product purposely developed to stop the attacker but their system being attacked.